Eddy Nigg (StartCom Ltd.) | 1 Feb 2008 01:17

Re: [OpenID] A couple of questions regarding OpenID...

Per Ekström wrote:

My first question is regarding the Phishing attacks that are mentioned at Wikipedia [1] - Are they still valid or is it just FUD that has been floating around since an old version of the standard?
I guess that's correct, as with anything that uses a user name and password for authentication. There is no difference between a phishing attempt on an online banking web site and one on an IDP, with different results perhaps. Phishing of banking sites will cost somebody money, whereas with OpenID it might be used for spamming and identity theft (whatever that implies).

There are however secure methods for authentication other than user/pass pairs, and OpenID has a draft extension for this: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html

And second - While I know Man-In-The-Middle between user and OpenID-provider is quite easy to stave off, what about OpenID-provider and the website I'm trying to log in to? Whenever man-in-the-middle discussion about this appears, it's always in the form of User-to-OpenID-Provider, not the other way around.
The RP can require SSL from known CAs only. This should solve this concern mostly. But the provider will not send the authentication bits in any case; in most cases it is only a yes/no/cancel reply.

--
Regards 
 
Signer:  Eddy Nigg, StartCom Ltd.
Jabber:  startcom <at> startcom.org
Blog:  Join the Revolution!
Phone:  +1.213.341.0390
 
_______________________________________________
general mailing list
general <at> openid.net
http://openid.net/mailman/listinfo/general
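An added example, not code from the post above or from any OpenID library: the RP-side checks on what the provider actually sends back, the signed yes/no/cancel reply the answer refers to, with no password involved. The endpoint URLs, identifiers and the association secret are made up so that it runs offline; the Key-Value form, the HMAC-SHA256 association signature and the return_to / op_endpoint / nonce checks follow OpenID Authentication 2.0.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed association: in OpenID 2.0 the RP obtains the handle and HMAC key
# from the OP's "associate" exchange (over TLS to a known CA, as the post says).
# It is generated inline here so the example runs offline.
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = secrets.token_bytes(32)

# Fields OpenID 2.0 requires to be covered by the signature (claimed_id and
# identity must be signed when present; this RP only accepts identified logins).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}


def kv_form(fields, names):
    """Key-Value form used for OpenID signatures: one 'key:value\\n' per signed field, in order."""
    return "".join(f"{name}:{fields[name]}\n" for name in names).encode("utf-8")


def sign(fields, signed_names, secret):
    """HMAC-SHA256 over the Key-Value form, base64 encoded (HMAC-SHA256 association type)."""
    mac = hmac.new(secret, kv_form(fields, signed_names), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_positive_assertion(op_endpoint, claimed_id, return_to):
    """What the OP sends back through the browser: a signed 'yes', never the user's credentials."""
    nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4)
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": op_endpoint,
        "claimed_id": claimed_id,
        "identity": claimed_id,
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(fields, signed, ASSOC_SECRET)
    return {"openid." + k: v for k, v in fields.items()}


class RelyingParty:
    """RP-side checks on the indirect response, independent of how the user authenticated at the OP."""

    def __init__(self, return_to, op_endpoint, associations, nonce_window=300):
        self.return_to = return_to          # the exact URL the RP put in its checkid request
        self.op_endpoint = op_endpoint      # endpoint found by discovery, not taken from the response
        self.associations = associations    # assoc_handle -> secret
        self.nonce_window = nonce_window    # seconds of clock skew / transit tolerated
        self.seen_nonces = set()            # replay store; persistent in a real RP

    def verify(self, query):
        fields = {k[len("openid."):]: v for k, v in query.items() if k.startswith("openid.")}
        mode = fields.get("mode")
        if mode != "id_res":
            return (False, f"not a positive assertion (mode={mode!r})")
        if fields.get("return_to") != self.return_to:
            return (False, "return_to mismatch")
        if fields.get("op_endpoint") != self.op_endpoint:
            return (False, "op_endpoint does not match discovered OP")
        signed = fields.get("signed", "").split(",")
        missing = REQUIRED_SIGNED - set(signed)
        if missing:
            return (False, f"fields not covered by signature: {sorted(missing)}")
        secret = self.associations.get(fields.get("assoc_handle"))
        if secret is None:
            return (False, "unknown association handle")
        try:
            expected = sign(fields, signed, secret)
        except KeyError as missing_field:
            return (False, f"signed field absent from response: {missing_field}")
        if not hmac.compare_digest(expected, fields.get("sig", "")):
            return (False, "bad signature")
        nonce = fields["response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return (False, "malformed response_nonce")
        if abs((datetime.now(timezone.utc) - issued).total_seconds()) > self.nonce_window:
            return (False, "response_nonce outside acceptance window")
        if nonce in self.seen_nonces:
            return (False, "replayed response_nonce")
        self.seen_nonces.add(nonce)
        return (True, fields["claimed_id"])


if __name__ == "__main__":
    rp = RelyingParty("https://rp.example/return", "https://op.example/endpoint",
                      {ASSOC_HANDLE: ASSOC_SECRET})
    good = op_positive_assertion("https://op.example/endpoint", "https://alice.example/",
                                 "https://rp.example/return")
    print(rp.verify(good))      # (True, 'https://alice.example/')
    print(rp.verify(good))      # the same response replayed is refused
    forged = {**good, "openid.claimed_id": "https://mallory.example/"}
    print(rp.verify(forged))    # signature no longer matches
```

The order of the checks matters: return_to and op_endpoint are compared against what the RP itself knows before any signature work, the signature is verified before the nonce is recorded (so a forged response cannot burn a nonce), and a mode of cancel or setup_needed is never treated as a login, no matter what else the query carries.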
Eric Norman | 1 Feb 2008 05:38

Re: [OpenID] A couple of questions regarding OpenID...


On Jan 31, 2008, at 6:17 PM, Eddy Nigg (StartCom Ltd.) wrote:

> Per Ekström wrote:
>>
>> My first question is regarding the Phishing attacks that are  
>> mentioned at Wikipedia [1] - Are they still valid or is it just  
>> FUD that has been floating around since an old version of the  
>> standard?
> I guess that's correct, as with anything that uses a user name and  
> password for authentication. There is no difference of a phishing  
> attempt of an online banking web site and an IDP, with different  
> results perhaps. Phishing of banking sites will cost somebody  
> money, whereas with OpenID it might be used for spamming and  
> identity theft (whatever that implies).

And let's not forget the phishing attacks where the relying party is
a rogue but the OpenID provider is genuine.  A miscreant may not
be able to swipe credentials that way, but may still acquire something
of value.

Eric Norman
Chris Meyer | 1 Feb 2008 23:20

[OpenID] OpenID attribute exchange question

What is the "official" schema for the attribute exchange?


I notice that www.axschema.org defines several attributes; but they don't work on myopenid.com.

I notice that more are defined on openid.net... which are the ones to use?

Is there an "official" list yet? If so, can it be listed prominently on openid.net?

List 1:

List 2:

In addition, pip.verisignlabs.net doesn't seem to work with either one! It works with the simple registration parameters:


Shreyas Doshi | 2 Feb 2008 00:43

http://gallery.yahoo.com/openid

Fellow OpenID'ers,

The Yahoo! OpenID Provider service was launched on January 30 as a public beta. In case you missed the
announcement, you can read about it here:

http://developer.yahoo.net/blog/archives/2008/01/yahoo-openid-beta.html

Soon, we will be linking to Yahoo! Gallery ( http://gallery.yahoo.com/ ) from the Yahoo! OpenID product
pages (the "Find other OpenID sites" link when you click "OpenID Home" on any Yahoo! OpenID page). A few
websites have already listed themselves under the OpenID section ( http://gallery.yahoo.com/openid
). The goal of this gallery is to enable Yahoo! users to find websites where they can use their OpenID.

To list your website on Yahoo! Gallery, visit: 

http://gallery.yahoo.com/submit

and provide the requested information. As long as your website supports OpenID 2.0 (and you've verified
that it works with the Yahoo! OpenID Provider), the request should get approved by a moderator in short
order. If you are running into any issues with OpenID 2.0 integration, feel free to email us at
openid-feedback <at> yahoo-inc.com and we'd be happy to help out!

Thank you, and have a great weekend,

:Shreyas

ps: applications with OpenID 2.0 plug-ins can also be submitted
Mark Cross | 2 Feb 2008 11:37

[OpenID] AE: How do you agree exchange type aliases collections?

I'm probably being really thick here, but I cannot find anything in

http://openid.net/specs/openid-attribute-exchange-1_0-05.html

which states what the aliases will be for a profile/persona, in a way
that could be described in an XRDS document, i.e. what a profile is going to
consist of.

I can see that individual fields are defined as:

openid.ax.type.fav_movie=http://example.com/schema/favourite_movie

But say for example I want to use the schemes at :
http://www.axschema.org/types/#sreg

For populating my profile in my OP, if I use the Verisign PIP, I will
have to manually create each field, clearly this is madness. Surely I
want to just log into my OP, enter the URI of a XRDS which describes
and returns a collection of fields:

<profile name="pet">
<field>openid.ax.type.fname=http://example.com/schema/fullname</field>
<field>openid.ax.type.gender=http://example.com/schema/gender</field>
<field>openid.ax.type.fav_dog=http://example.com/schema/favourite_dog</field>
</profile>

This will then create the profile "pet" which I can then define the
values for and also clone within my OP; I may have more than one pet.

And when I go to relying sites using the "pet" schema, defined at a
URI I can automatically elect to pass over my pet(n) attribute
exchange values.

Has this been previously defined, or are there better ways to do this?

Cheers Mark
Martin Paljak | 2 Feb 2008 12:03

Re: [OpenID] OpenID attribute exchange question

Hi!
On Feb 2, 2008, at 12:20 AM, Chris Meyer wrote:
> What is the "official" schema for the attribute exchange?
>
> I notice that www.axschema.org defines several attributes; but they  
> don't work on myopenid.com.
>
> I notice that more are defined on openid.net... which are the ones  
> to use?

Taking into account that the authors of the attribute-properties are  
from sxip.com and the given spec is dated August 2006 and axschema.org  
is also a 'service from sxip' and the domain was registered in 2007, I  
believe axschema.org is 'newer and better'.

> Is there an "official" list yet? If so, can it be listed prominently  
> on openid.net?

That's a problem that needs to be addressed, true.

We're doing internal testing with python-openid and attribute exchange  
and we've built our sreg support around the conventions on axschema.org.

Anyone knows public RP-s out in the wild that do one of:
1. use ax
2. make use of update_url
3. use the OP to store attributes
4. use ax instead of sreg to get sreg data

Now that Yahoo is on board and pushing for all those shiny OpenID 2.0  
bits and pieces, tackling AX could be the next big thing to work on..

m.
-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
tom | 2 Feb 2008 12:33

Re: [OpenID] OpenID attribute exchange question


Martin Paljak wrote:
> Hi!
> On Feb 2, 2008, at 12:20 AM, Chris Meyer wrote:
>   
>> What is the "official" schema for the attribute exchange?
>>
>> I notice that www.axschema.org defines several attributes; but they  
>> don't work on myopenid.com.
>>
>> I notice that more are defined on openid.net... which are the ones  
>> to use?
>>     
>
> Taking into account that the authors of the attribute-properties are  
> from sxip.com and the given spec is dated August 2006 and axschema.org  
> is also a 'service from sxip' and the domain was registered in 2007, I  
> believe axschema.org is 'newer and better'.
>
>   
>> Is there an "official" list yet? If so, can it be listed prominently  
>> on openid.net?
>>     
>
> That's a problem than needs to be addressed, true.
>   

In the spec it says "A reference example of defining attribute types is 
provided by axschema.org". I think this is enough isn't it? Not sure 
OpenID should provide official schemas for each extension - recommending 
a default (which axschema.org is) is enough isn't it?

> We're doing internal testing with python-openid and attribute exchange  
> and we've built our sreg support around the conventions on axschema.org.
>
> Anyone knows public RP-s out in the wild that do one of:
> 1. use ax
>   
We use it internally and we're about half way through re-writing our PHP 
OP/consumer with an extensions model. We'll use AX and continue to 
support SREG.

> 2. make use of update_url
> 3. use the OP to store attributes
>   
We do that. You can see each attribute you have entrusted to a website 
with our OP.

> 4. use ax instead of sreg to get sreg data
>   
We map SREG value to AX - it's not pretty though (just a lookup array) ;)

> Now that Yahoo is on board and pushing for all those shiny OpenID 2.0  
> bits and pieces, tackling AX could be the next big thing to work on..
>   
:) I hope so. I saw from the OpenIDDevCamp that David Recordon and 
Joseph Smarr started to document an OAuth extension which builds atop 
OpenID Attribute Exchange. We'll implement that as soon as we see it as 
it gives us huge flexibility in our product range!

tom

-- 
Tom Calthrop
Founding director, Barnraiser.

Dedicated to giving people the tools they need to share 
knowledge and advance society through social software.

Web site: http://www.barnraiser.org/
OpenID: http://tom.calthrop.info/
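An added example (not Barnraiser's code, nor python-openid's) of the AX/sreg bridging discussed in this thread: an RP builds a fetch_request from the axschema.org type URIs and reads the fetch_response by type URI rather than by alias, accepting only fields the OP covered with openid.signed. The sreg-to-axschema mapping is the one axschema.org publishes for the Simple Registration fields; the sample response, the OP's alias "mail" and the unsigned extra attribute in it are constructed.

```python
AX_NS = "http://openid.net/srv/ax/1.0"

# sreg field name -> axschema.org type URI (the mapping axschema.org publishes
# for Simple Registration fields).
SREG_TO_AX = {
    "nickname": "http://axschema.org/namePerson/friendly",
    "email": "http://axschema.org/contact/email",
    "fullname": "http://axschema.org/namePerson",
    "dob": "http://axschema.org/birthDate",
    "gender": "http://axschema.org/person/gender",
    "postcode": "http://axschema.org/contact/postalCode/home",
    "country": "http://axschema.org/contact/country/home",
    "language": "http://axschema.org/pref/language",
    "timezone": "http://axschema.org/pref/timezone",
}


def build_fetch_request(required, if_available=()):
    """AX fetch_request asking for sreg-equivalent fields by their axschema.org type URIs."""
    args = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias in (*required, *if_available):
        args[f"openid.ax.type.{alias}"] = SREG_TO_AX[alias]
    if required:
        args["openid.ax.required"] = ",".join(required)
    if if_available:
        args["openid.ax.if_available"] = ",".join(if_available)
    return args


def parse_fetch_response(query):
    """Return {type_uri: [values]} from a positive assertion, using only AX fields the OP signed.

    Results are keyed by type URI rather than alias, because the OP may pick its own aliases.
    """
    signed = set(query.get("openid.signed", "").split(","))
    # Locate the alias the OP used for the AX namespace (it is not required to be "ax").
    ns_alias = next((k[len("openid.ns."):] for k, v in query.items()
                     if k.startswith("openid.ns.") and v == AX_NS), None)
    if ns_alias is None or f"ns.{ns_alias}" not in signed:
        return {}
    p = f"{ns_alias}."                      # unprefixed form, as names appear in openid.signed
    if query.get(f"openid.{p}mode") != "fetch_response" or f"{p}mode" not in signed:
        return {}

    def signed_value(key):                  # key without the "openid." prefix
        return query.get("openid." + key) if key in signed else None

    result = {}
    for k, type_uri in query.items():
        if not k.startswith(f"openid.{p}type."):
            continue
        alias = k[len(f"openid.{p}type."):]
        if f"{p}type.{alias}" not in signed:
            continue
        count = signed_value(f"{p}count.{alias}")
        if count is not None and count.isdigit():   # multi-valued: value.<alias>.1 .. .N
            keys = [f"{p}value.{alias}.{i}" for i in range(1, int(count) + 1)]
        else:
            keys = [f"{p}value.{alias}"]
        values = [v for v in (signed_value(key) for key in keys) if v is not None]
        if values:
            result[type_uri] = values
    return result


def sreg_view(ax_values):
    """Present AX results under sreg field names, for RP code that still expects sreg."""
    ax_to_sreg = {uri: field for field, uri in SREG_TO_AX.items()}
    return {ax_to_sreg[uri]: vals[0] for uri, vals in ax_values.items() if uri in ax_to_sreg}


# Constructed fetch_response as it would arrive inside a signed id_res: the OP chose the
# alias "mail" for the e-mail type, and a second attribute that is NOT in openid.signed has
# been appended to the query to show that it is ignored.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.mail": "http://axschema.org/contact/email",
    "openid.ax.value.mail": "alice@example.com",
    "openid.ax.type.name": "http://axschema.org/namePerson",
    "openid.ax.value.name": "Mallory",      # unsigned, must not reach the application
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,"
                     "ns.ax,ax.mode,ax.type.mail,ax.value.mail",
}

if __name__ == "__main__":
    print(build_fetch_request(["email"], ["fullname"]))
    got = parse_fetch_response(SAMPLE_RESPONSE)
    print(got)              # {'http://axschema.org/contact/email': ['alice@example.com']}
    print(sreg_view(got))   # {'email': 'alice@example.com'}
```

Matching on the type URI is what makes the RP independent of whichever alias or schema list an OP happens to use, and the openid.signed check is what stops anyone who can edit the return URL from appending an attribute the OP never asserted.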
Eddy Nigg (StartCom Ltd.) | 2 Feb 2008 17:46

[OpenID] pape.auth_time versus pape.auth_age

The PHP library (and examples) from openidenabled.com currently return pape.max_auth_age in the Auth_OpenID_PAPE_Response function. Reading the specs at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html#anchor10 this should however be pape.auth_time. The sample consumer seems to be happy with that, but I think this to be a mistake...

Can somebody confirm that sending pape.max_auth_age is wrong and it should be pape.auth_time instead?

--
Regards 
 
Signer:  Eddy Nigg, StartCom Ltd.
Jabber:  startcom <at> startcom.org
Blog:  Join the Revolution!
Phone:  +1.213.341.0390
 
Mark Cross | 2 Feb 2008 18:42

[OpenID] AE: How do you agree exchange type aliases collections? (2nd post attempt)

(if this is a second post, gmail is running more than 6 hours behind...)

Jonathan Daugherty | 2 Feb 2008 18:47

Re: [OpenID] pape.auth_time versus pape.auth_age

>  Can somebody confirm that sending pape.max_auth_age is wrong and it should
> be pape.auth_time instead?

Hi Eddy,

The PHP library implements Draft 1 of PAPE, not Draft 2.  The same is
true of the other openidenabled.com implementations.

-- 
  Jonathan Daugherty
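An added example, not code from the openidenabled.com library, showing the Draft 2 parameter names from the RP side: max_auth_age goes into the request, auth_time comes back in the response, and a response that carries no signed pape.auth_time (which is what a Draft 1 library produces) cannot satisfy a max_auth_age request. The two responses, the timestamps and the policy requirement are constructed; the namespace and policy URIs are those of PAPE 1.0 Draft 2.

```python
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY + "multi-factor-physical"
NONE_SATISFIED = POLICY + "none"        # Draft 2: the OP met none of the policies


def build_pape_request(preferred_policies, max_auth_age=None):
    """Request side: policies are space separated, max_auth_age is a number of seconds."""
    args = {"openid.ns.pape": PAPE_NS,
            "openid.pape.preferred_auth_policies": " ".join(preferred_policies)}
    if max_auth_age is not None:
        args["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return args


def check_pape_response(query, required_policies, max_auth_age=None, now=None):
    """Decide whether the OP's signed PAPE response satisfies what the RP asked for.

    Returns (True, policies_met) or (False, reason). `now` is injectable so the result
    does not depend on the wall clock.
    """
    now = now or datetime.now(timezone.utc)
    signed = set(query.get("openid.signed", "").split(","))
    if query.get("openid.ns.pape") != PAPE_NS or "ns.pape" not in signed:
        return (False, "no signed PAPE response")
    if "pape.auth_policies" not in signed:
        return (False, "pape.auth_policies not signed")
    policies = set(query.get("openid.pape.auth_policies", "").split()) - {NONE_SATISFIED}
    missing = set(required_policies) - policies
    if missing:
        return (False, f"policies not satisfied: {sorted(missing)}")
    if max_auth_age is not None:
        # Draft 2: when the RP sent max_auth_age, the OP MUST answer with pape.auth_time,
        # a UTC timestamp of the last active authentication. A response that instead
        # echoes max_auth_age (the library behaviour reported in this thread) says nothing
        # about when the user last authenticated, so it cannot meet the request.
        auth_time = query.get("openid.pape.auth_time")
        if auth_time is None or "pape.auth_time" not in signed:
            return (False, "max_auth_age requested but no signed pape.auth_time in response")
        try:
            issued = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return (False, f"malformed pape.auth_time {auth_time!r}")
        age = (now - issued).total_seconds()
        if age < 0:
            return (False, "pape.auth_time is in the future")
        if age > max_auth_age:
            return (False, f"authenticated {int(age)}s ago, older than max_auth_age={max_auth_age}")
    return (True, sorted(policies))


# Constructed responses; the OpenID core fields are left out, only the PAPE parameters
# and the openid.signed list matter here.
CORE_SIGNED = "op_endpoint,return_to,response_nonce,assoc_handle"
DRAFT2_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-02-02T17:40:00Z",
    "openid.signed": CORE_SIGNED + ",ns.pape,pape.auth_policies,pape.auth_time",
}
DRAFT1_STYLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.max_auth_age": "3600",     # request parameter echoed back, no auth_time
    "openid.signed": CORE_SIGNED + ",ns.pape,pape.auth_policies,pape.max_auth_age",
}
EXAMPLE_NOW = datetime(2008, 2, 2, 17, 46, tzinfo=timezone.utc)   # six minutes after auth_time

if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=600))
    print(check_pape_response(DRAFT2_RESPONSE, [PHISHING_RESISTANT], 600, EXAMPLE_NOW))        # ok
    print(check_pape_response(DRAFT2_RESPONSE, [PHISHING_RESISTANT], 300, EXAMPLE_NOW))        # too old
    print(check_pape_response(DRAFT1_STYLE_RESPONSE, [PHISHING_RESISTANT], 600, EXAMPLE_NOW))  # no auth_time
```

The point for an RP author is that a PAPE response is only as good as the checks made on it: the policy URIs it lists must actually include what the RP required, the freshness claim must be a signed timestamp the RP can compare against its own clock, and a response with the wrong field name must fail closed rather than be waved through because the sample consumer did not complain.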
